csaf_suse - suse-su-2025:20719-1

SUSE-SU-2025:20719-1

Vulnerability from csaf_suse - Published: 2025-09-22 08:44 - Updated: 2025-09-22 08:44

Summary

Security update for krb5

Notes

Title of the patch

Security update for krb5

Description of the patch

This update for krb5 fixes the following issues: - CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)

Patchnames

SUSE-SLE-Micro-6.0-469

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for krb5",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for krb5 fixes the following issues:\n\n- CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.0-469",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20719-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20719-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520719-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20719-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041915.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1241219",
        "url": "https://bugzilla.suse.com/1241219"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-3576 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-3576/"
      }
    ],
    "title": "Security update for krb5",
    "tracking": {
      "current_release_date": "2025-09-22T08:44:49Z",
      "generator": {
        "date": "2025-09-22T08:44:49Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20719-1",
      "initial_release_date": "2025-09-22T08:44:49Z",
      "revision_history": [
        {
          "date": "2025-09-22T08:44:49Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "krb5-1.20.1-7.1.aarch64",
                "product": {
                  "name": "krb5-1.20.1-7.1.aarch64",
                  "product_id": "krb5-1.20.1-7.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "krb5-client-1.20.1-7.1.aarch64",
                "product": {
                  "name": "krb5-client-1.20.1-7.1.aarch64",
                  "product_id": "krb5-client-1.20.1-7.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "krb5-1.20.1-7.1.s390x",
                "product": {
                  "name": "krb5-1.20.1-7.1.s390x",
                  "product_id": "krb5-1.20.1-7.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "krb5-client-1.20.1-7.1.s390x",
                "product": {
                  "name": "krb5-client-1.20.1-7.1.s390x",
                  "product_id": "krb5-client-1.20.1-7.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "krb5-1.20.1-7.1.x86_64",
                "product": {
                  "name": "krb5-1.20.1-7.1.x86_64",
                  "product_id": "krb5-1.20.1-7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "krb5-client-1.20.1-7.1.x86_64",
                "product": {
                  "name": "krb5-client-1.20.1-7.1.x86_64",
                  "product_id": "krb5-client-1.20.1-7.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.0",
                "product": {
                  "name": "SUSE Linux Micro 6.0",
                  "product_id": "SUSE Linux Micro 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-1.20.1-7.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.aarch64"
        },
        "product_reference": "krb5-1.20.1-7.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-1.20.1-7.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.s390x"
        },
        "product_reference": "krb5-1.20.1-7.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-1.20.1-7.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.x86_64"
        },
        "product_reference": "krb5-1.20.1-7.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-client-1.20.1-7.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.aarch64"
        },
        "product_reference": "krb5-client-1.20.1-7.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-client-1.20.1-7.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.s390x"
        },
        "product_reference": "krb5-client-1.20.1-7.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "krb5-client-1.20.1-7.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.x86_64"
        },
        "product_reference": "krb5-client-1.20.1-7.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-3576",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-3576"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.aarch64",
          "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.s390x",
          "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.x86_64",
          "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.aarch64",
          "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.s390x",
          "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-3576",
          "url": "https://www.suse.com/security/cve/CVE-2025-3576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1241218 for CVE-2025-3576",
          "url": "https://bugzilla.suse.com/1241218"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.aarch64",
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.s390x",
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.x86_64",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.aarch64",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.s390x",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.aarch64",
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.s390x",
            "SUSE Linux Micro 6.0:krb5-1.20.1-7.1.x86_64",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.aarch64",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.s390x",
            "SUSE Linux Micro 6.0:krb5-client-1.20.1-7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-22T08:44:49Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-3576"
    }
  ]
}

CVE-2025-3576 (GCVE-0-2025-3576)

Vulnerability from cvelistv5 – Published: 2025-04-15 05:55 – Updated: 2025-11-13 11:42

Summary

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-328 - Use of Weak Hash

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:11487	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:13664	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:13777	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:15000	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:15001	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:15002	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:15003	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:15004	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8411	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:9418	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:9430	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-3576	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2359465	issue-trackingx_refsource_REDHAT
	https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html

Impacted products

Vendor

Product

Version

Affected: 0 , < 1.22 (semver)

Red Hat	Red Hat Enterprise Linux 10	Unaffected: 0:1.21.3-8.el10_0 , < * (rpm) cpe:/o:redhat:enterprise_linux:10.0
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:1.18.2-32.el8_10 , < * (rpm) cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	Unaffected: 0:1.17-19.el8_2.3 , < * (rpm) cpe:/o:redhat:rhel_aus:8.2::baseos
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	Unaffected: 0:1.18.2-9.el8_4.3 , < * (rpm) cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Red Hat	Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	Unaffected: 0:1.18.2-9.el8_4.3 , < * (rpm) cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	Unaffected: 0:1.18.2-16.el8_6.4 , < * (rpm) cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	Unaffected: 0:1.18.2-16.el8_6.4 , < * (rpm) cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	Unaffected: 0:1.18.2-16.el8_6.4 , < * (rpm) cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.8 Telecommunications Update Service	Unaffected: 0:1.18.2-26.el8_8.5 , < * (rpm) cpe:/o:redhat:rhel_tus:8.8::baseos cpe:/o:redhat:rhel_e4s:8.8::baseos
Red Hat	Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	Unaffected: 0:1.18.2-26.el8_8.5 , < * (rpm) cpe:/o:redhat:rhel_tus:8.8::baseos cpe:/o:redhat:rhel_e4s:8.8::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.21.1-8.el9_6 , < * (rpm) cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.21.1-8.el9_6 , < * (rpm) cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	Unaffected: 0:1.19.1-16.el9_0.4 , < * (rpm) cpe:/o:redhat:rhel_e4s:9.0::baseos cpe:/a:redhat:rhel_e4s:9.0::appstream
Red Hat	Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	Unaffected: 0:1.20.1-9.el9_2.3 , < * (rpm) cpe:/o:redhat:rhel_e4s:9.2::baseos cpe:/a:redhat:rhel_e4s:9.2::appstream
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:1.21.1-2.el9_4.2 , < * (rpm) cpe:/o:redhat:rhel_eus:9.4::baseos cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Discovery 2	Unaffected: sha256:c499a099e03c7488ffe50529a34723ade191a89fcfc59d1f0edd01db2b579ca3 , < * (rpm) cpe:/a:redhat:discovery:2::el9
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3576",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T13:11:53.062910Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:12:04.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-30T17:02:59.776Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://web.mit.edu/kerberos/",
          "defaultStatus": "unaffected",
          "packageName": "krb5",
          "versions": [
            {
              "lessThan": "1.22",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10.0"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.21.3-8.el10_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-32.el8_10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.2::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.17-19.el8_2.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.4::baseos",
            "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-9.el8_4.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.4::baseos",
            "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-9.el8_4.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-16.el8_6.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-16.el8_6.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-16.el8_6.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_tus:8.8::baseos",
            "cpe:/o:redhat:rhel_e4s:8.8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-26.el8_8.5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_tus:8.8::baseos",
            "cpe:/o:redhat:rhel_e4s:8.8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-26.el8_8.5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.21.1-8.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.21.1-8.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_e4s:9.0::baseos",
            "cpe:/a:redhat:rhel_e4s:9.0::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.19.1-16.el9_0.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_e4s:9.2::baseos",
            "cpe:/a:redhat:rhel_e4s:9.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.20.1-9.el9_2.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:9.4::baseos",
            "cpe:/a:redhat:rhel_eus:9.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.21.1-2.el9_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "discovery/discovery-server-rhel9",
          "product": "Red Hat Discovery 2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:c499a099e03c7488ffe50529a34723ade191a89fcfc59d1f0edd01db2b579ca3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "aap-cloud-metrics-collector-container",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-24/ee-supported-rhel9",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-24/platform-resource-runner-rhel8",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-25/ansible-builder-rhel8",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-25/ee-minimal-rhel8",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-04-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T11:42:36.679Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:11487",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:11487"
        },
        {
          "name": "RHSA-2025:13664",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:13664"
        },
        {
          "name": "RHSA-2025:13777",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:13777"
        },
        {
          "name": "RHSA-2025:15000",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:15000"
        },
        {
          "name": "RHSA-2025:15001",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:15001"
        },
        {
          "name": "RHSA-2025:15002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:15002"
        },
        {
          "name": "RHSA-2025:15003",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:15003"
        },
        {
          "name": "RHSA-2025:15004",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:15004"
        },
        {
          "name": "RHSA-2025:8411",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8411"
        },
        {
          "name": "RHSA-2025:9418",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9418"
        },
        {
          "name": "RHSA-2025:9430",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9430"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-3576"
        },
        {
          "name": "RHBZ#2359465",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359465"
        },
        {
          "url": "https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-14T11:00:53.484000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-04-15T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-328: Use of Weak Hash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-3576",
    "datePublished": "2025-04-15T05:55:26.732Z",
    "dateReserved": "2025-04-14T09:53:43.906Z",
    "dateUpdated": "2025-11-13T11:42:36.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2025:20719-1

CVE-2025-3576 (GCVE-0-2025-3576)

Tags

Sightings

Nomenclature